Little-known SolarWinds comes under scrutiny over hack, stock sales

Before this week, few people were aware of SolarWinds, a Texas-based software company that provides essential computer network surveillance services to businesses and government agencies around the world.

But the revelation that elite cyber spies have secretly been exploiting SolarWinds software for months to snoop inside computer networks has put many of its most prominent clients, from national governments to Fortune 500 companies, on high alert. It also raises questions about when company insiders learned of the security vulnerability relative to when its largest investors sold stock.

Founded in 1999 by two brothers in Tulsa, Oklahoma, in anticipation of the dreaded turn-of-the-millennium Y2K computer bug, the company says on its website that its first product “hit the ground running to help IT professionals deal with everyone’s world-ending fears.”

This time, its products are the ones causing fear. The company began warning its roughly 33,000 customers on Sunday that a “foreign state” – widely believed to be Russia – had introduced a back door into some updated versions of its flagship product, Orion. The ubiquitous software tool, which helps organizations monitor the performance of their computer networks and servers, had become a conduit for spies to steal information unnoticed.

“They are not a household name like Microsoft is. That’s because their software is in the back office,” said Rob Oliver, a research analyst at Baird who has followed the company for years. “Employees could have spent their entire career without hearing about SolarWinds. But I guarantee that your IT department is aware of this.”

Now many other people know about it too. One of SolarWinds’ clients, the prominent California cybersecurity company FireEye, was the first to discover the cyber espionage operation. FireEye revealed earlier this month that its own systems had been compromised by attackers who made off with its defensive hacking tools. Other disclosed espionage targets include the United States Treasury and Commerce Departments.

The Department of Homeland Security’s cybersecurity unit this week ordered all federal agencies to remove the compromised software, and thousands of companies should do the same.

Among the business sectors struggling to protect their systems and assess potential information theft were the power industry, defense contractors, and telecommunications companies.

The breach has sparked a crisis for SolarWinds, which is now based in the hilly suburbs of Austin, Texas. The compromised product accounts for nearly half of the company’s annual sales, which totaled $753.9 million in the first nine months of this year. Its stock is down 23% since the start of the week.

Moody’s Investors Service said on Wednesday that it was looking to lower its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high recovery and legal costs.”

Longtime SolarWinds CEO Kevin Thompson had indicated months earlier that he would be leaving at the end of the year as the company explored plans for one of its divisions. SolarWinds’ board appointed his replacement, current PulseSecure CEO Sudhakar Ramakrishna, on December 7, according to a financial filing, one day before FireEye first publicly disclosed the hack of its own systems and two days before the change of CEO was announced.

It was also on December 7 that the company’s two largest investors, Silver Lake and Thoma Bravo, which control a majority stake in the publicly traded company, sold more than $280 million worth of shares to a Canadian public pension fund. The two private equity firms said in a joint statement that they were “unaware of this potential cyber attack” at the time of selling the stock. SolarWinds made the breach public six days later.

The hacking operation itself began back in March, when SolarWinds customers installing updates for their Orion software unwittingly installed hidden malicious code that could give intruders the same view of their corporate network as internal IT teams. FireEye described the malware’s dizzying capabilities – from initially lying dormant for up to two weeks, to hiding in plain sight by masquerading as Orion activity.

FireEye said on Wednesday that it had identified a “kill switch” that prevents the malware used by the hackers from working. But while that disables the original back door, it does not remove intruders from systems where they have already established other ways of remotely accessing victims’ networks.

SolarWinds executives declined interviews through a spokesperson, citing an ongoing investigation into the hacking operation involving the FBI and other agencies.

“This is an unimaginable, unfortunate situation,” said Oliver. “SolarWinds products have always been reliable. Its value proposition is all about reliability.”

Thompson’s last few weeks at the helm will likely be spent responding to scared customers, some of whom are also unsettled by marketing tactics that may have drawn attention to SolarWinds and its high-profile clients.

The company removed a webpage earlier this week listing dozens of its best-known clients, from the White House, the Pentagon and the Secret Service to the McDonald’s restaurant chain and Smithsonian museums.

The Associated Press is one of the hundreds of thousands of customers SolarWinds reports having, although the news agency said it did not use the compromised Orion products. SolarWinds estimated in a financial statement that about 18,000 customers had installed the compromised software, meaning many of them were exposed to the espionage operation at some point this year.

FireEye, without naming specific targets, has said it has confirmed infections in North America, Europe, Asia and the Middle East, including in the healthcare and oil and gas industries – and has informed affected customers around the world.

___

AP Technology writer Frank Bajak in Boston contributed to this report.
